CVE-2020-6224

MEDIUM

SAP NetWeaver AS Java - Info Disclosure

Title source: llm

Description

SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges to access sensitive user data, such as passwords, in trace files when a user logs in and sends a request with login credentials, leading to Information Disclosure.

References (2)

Core References
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/2826528

Scores

CVSS v3 6.2
EPSS 0.0026
EPSS Percentile 49.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Details

CWE
CWE-532
Status published
Products (7)
sap/netweaver_application_server_java 7.10
sap/netweaver_application_server_java 7.11
sap/netweaver_application_server_java 7.20
sap/netweaver_application_server_java 7.30
sap/netweaver_application_server_java 7.31
sap/netweaver_application_server_java 7.40
sap/netweaver_application_server_java 7.50
Published Apr 14, 2020
Tracked Since Feb 18, 2026